From 024105c44c0550596b2a92da55f77c9ffc0fa7c4 Mon Sep 17 00:00:00 2001
From: Fabian
Date: Tue, 24 Nov 2020 21:50:57 +0000
Subject: [PATCH] Make dropbear configuration flexible, closes #13

---
 host/montalin/networking.nix | 15 ++++-
 meta/network.nix | 4 +-
 role/dropbear/default.nix | 105 ++++++++++++++++++++++++-----------
 3 files changed, 88 insertions(+), 36 deletions(-)

diff --git a/host/montalin/networking.nix b/host/montalin/networking.nix
index 13f2102..84493bf 100644
--- a/host/montalin/networking.nix
+++ b/host/montalin/networking.nix
@@ -11,17 +11,26 @@ in {
 networking.interfaces.eno1 = {
 ipv4.addresses = [{
 address = montalin-net.v4.ip;
- prefixLength = plessur-net.lan.v4.bitmask;
+ prefixLength = plessur-net.dmz.v4.bitmask;
 }];
 };
 networking.interfaces.wlp1s0.useDHCP = true;
- networking.defaultGateway = plessur-net.lan.v4.gateway;
- networking.nameservers = plessur-net.lan.v4.nameservers;
+ networking.defaultGateway = plessur-net.dmz.v4.gateway;
+ networking.nameservers = plessur-net.dmz.v4.nameservers;
 # Configure network proxy if necessary
 # networking.proxy.default = "http://user:password@proxy:port/";
 # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
 networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ services.dropbear = {
+ enable = true;
+ interface = "eno1";
+ ip = montalin-net.v4.ip;
+ netmask = "255.255.255.0";
+ gateway = plessur-net.dmz.v4.gateway;
+ sshPort = 2222;
+ };
 }
diff --git a/meta/network.nix b/meta/network.nix
index c91b493..ed79d77 100644
--- a/meta/network.nix
+++ b/meta/network.nix
@@ -12,6 +12,8 @@
 v4 = {
 id = "10.1.2.0";
 bitmask = 24;
+ gateway = "10.1.2.1";
+ nameservers = [ "10.1.2.1" ];
 };
 hosts = {
@@ -23,9 +25,7 @@ plessur.lan = {
 v4 = {
 id = "10.1.1.0";
- gateway = "10.1.2.1";
 bitmask = 24;
- nameservers = [ "10.1.2.1" ];
 };
 hosts = { calanda.v4.ip = "10.1.1.1"; };
diff --git a/role/dropbear/default.nix b/role/dropbear/default.nix
index a24c463..071fcb5 100644
--- a/role/dropbear/default.nix
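Review bot: `netmask = "255.255.255.0";` in the new `services.dropbear` block hard-codes the mask that `prefixLength = plessur-net.dmz.v4.bitmask;` a few lines above takes from meta/network.nix, so the initrd `ip=` boot line and the running system's address configuration can drift apart if the DMZ prefix is later changed in only one place. Keeping the dotted mask next to `bitmask` in meta/network.nix (the second hunk already moves `gateway` and `nameservers` there) and referencing it from here would keep both in step; whatever attribute name is chosen for that would be new, none exists on the page. `sshPort = 2222;` repeats the module's default and can be dropped unless the intent is to pin it explicitly in the host file.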
+++ b/role/dropbear/default.nix 
@@ -1,38 +1,81 @@
-{ config, pkgs, lib, ... }:
+{ config, lib, pkgs, ... }:
-# Note: This implementation currently only allows eno1 (first interface) with dhcp.
-let
- ip = "10.1.2.2";
- gateway = "10.1.2.1";
- netmask = "255.255.255.0";
- hostname = config.networking.hostName;
- primaryInterface = "eno1";
+with lib;
+
+let cfg = config.services.dropbear;
 in {
- boot.initrd.network = {
- enable = true;
- ssh = {
- enable = true;
- port = 2222;
- authorizedKeys = with lib;
- concatLists (mapAttrsToList (name: user:
- if elem "wheel" user.extraGroups then
- user.openssh.authorizedKeys.keys
- else
- [ ]) config.users.users);
- hostRSAKey = /boot/dropbear_rsa_host_key;
- hostECDSAKey = /boot/dropbear_ecdsa_host_key;
- # Key generation with dropbearkey -t -f
+ options.services.dropbear = {
+ enable = mkEnableOption "dropbear service";
+
+ interface = mkOption {
+ type = types.str;
+ example = "enp0";
+ description = ''
+ Interface name.
+ '';
+ };
+
+ ip = mkOption {
+ type = types.str;
+ example = "192.168.0.1";
+ description = ''
+ Host IP Address.
+ '';
+ };
+
+ gateway = mkOption {
+ type = types.str;
+ example = "192.168.0.1";
+ description = ''
+ IP of gateway.
+ '';
+ };
+
+ netmask = mkOption {
+ type = types.str;
+ example = "192.168.0.1";
+ description = ''
+ Netmask of internal network.
+ '';
+ };
+
+ sshPort = mkOption {
+ type = types.addCheck types.int (n: n > 0 && n < 65536);
+ default = 2222;
+ description = ''
+ SSH Port of the dropbear deamon.
+ Should be different from default SSH port to prevent known hosts collissions.
+ '';
 };
- postCommands = ''
- echo 'cryptsetup-askpass' >> /root/.profile
- '';
 };
- boot.kernelParams = [
- "ip=${ip}::${gateway}:${netmask}:${hostname}:${primaryInterface}:none"
- ]; # see https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt
+ config = mkIf cfg.enable {
+ boot.initrd.network = {
+ enable = true;
+ ssh = {
+ enable = true;
+ port = cfg.sshPort;
+ authorizedKeys = with lib;
+ concatLists (mapAttrsToList (name: user:
+ if elem "wheel" user.extraGroups then
+ user.openssh.authorizedKeys.keys
+ else
+ [ ]) config.users.users);
+ hostRSAKey = /boot/dropbear_rsa_host_key;
+ hostECDSAKey = /boot/dropbear_ecdsa_host_key;
+ # Key generation with dropbearkey -t -f
+ };
+ postCommands = ''
+ echo 'cryptsetup-askpass' >> /root/.profile
+ '';
+ };
- boot.initrd.postMountCommands = ''
- ip link set ${primaryInterface} down
- '';
+ boot.kernelParams = [
+ "ip=${cfg.ip}::${cfg.gateway}:${cfg.netmask}:${config.networking.hostName}:${cfg.interface}:none"
+ ]; # see https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt
+
+ boot.initrd.postMountCommands = ''
+ ip link set ${cfg.interface} down
+ '';
+ };
 }
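Review bot: `hostRSAKey = /boot/dropbear_rsa_host_key;` and the `hostECDSAKey` line after it hand private keys to the module as unquoted Nix path literals; in Nix a path literal that gets interpolated into a derivation is copied into the world-readable Nix store, and the NixOS documentation for these two options warns that the key lands there unless the bootloader supports initrd secrets. The lines are carried over from the old version, but the rewrite into a module is the natural place to quote them as string paths (`"/boot/dropbear_rsa_host_key"`) so a store copy cannot happen silently, to confirm on the host that no copy of either key exists under /nix/store, and to keep them as dedicated initrd-only keys as the `dropbearkey` comment implies. In the new option block, the `netmask` option's `example = "192.168.0.1";` is an address rather than a mask; `example = "255.255.255.0";` matches what host/montalin/networking.nix sets. Since `ip`, `gateway` and `netmask` are plain `types.str` spliced into the colon-separated `ip=` kernel parameter near the end of the hunk, a value containing `:` would shift the fields silently; a `types.strMatching` pattern for dotted-quad values would reject that at evaluation time.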